[Federal Register Volume 64, Number 178 (Wednesday, September 15, 1999)]
[Notices]
[Pages 50058-50061]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 99-24014]


-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

National Institute of Standards and Technology
[Docket No. 970725180-9196-03]
RIN No. 0693-ZA16


Request for Comments on the Finalist (Round 2) Candidate 
Algorithms for the Advanced Encryption Standard (AES)

AGENCY: National Institute of Standards and Technology (NIST), 
Commerce.

ACTION: Notice; request for comments.

-----------------------------------------------------------------------

SUMMARY: A process to develop a Federal Information Processing Standard 
(FIPS) for an Advanced Encryption Standard (AES) specifying an Advanced 
Encryption Algorithm (AEA) has been initiated by the National Institute 
of Standards and Technology (NIST). In the Fall of 1998, NIST announced 
fifteen publicly submitted algorithms as candidates for the AES, and 
invites public review, comment, and analysis in order to narrow the 
field of candidates to (approximately) five or fewer finalists. During 
the Round 1 technical evaluation period, these fifteen candidates were 
subjected to extensive analysis and testing by the cryptographic 
community.

[[Page 50059]]

    At the conclusion of Round 1, NIST took the following information 
into consideration: (1) The submitted (official) versions of the AES 
candidate algorithms, (2) Round 1 public comments, (3) papers and 
discussions at the Second AES Candidate Conference, (4) results of NIST 
efficiency and statistical analysis, and (5) other relevant data (e.g., 
presentations at the Sixth Fast Software Encryption Workshop, 
discussions on NIST's AES Electronic Discussion Forum, etc.). Using 
this information, NIST has selected the AES finalist candidate 
algorithms (``finalists''), which will be subjected to further analysis 
during Round 2 of the AES development effort. A list of the finalists, 
along with specifications and intellectual property information, is 
available at the AES home page, http://www.nist.gov/aes.
    This notice announces the beginning of the Round 2 technical 
evaluation period for the AES finalists. Additionally, the notice 
solicits comments on the finalists from the general public, academic 
and research communities, manufacturers, voluntary standards 
organizations, and Federal, state, and local government organizations. 
NIST will use these comments to select one or more of the finalists for 
inclusion in a draft Federal Information Processing Standards 
Publication (FIPS PUB), on which public comments will be invited via a 
future Federal Register announcement.
    NIST's goal is that the AES will specify one or more unclassified, 
publicly disclosed encryption algorithm(s) available royalty-free 
worldwide that is (are) capable of protecting sensitive government 
information well into the next century.

DATES: Public comments for Round 2 are due May 15, 2000. Paper 
proposals for the Third AES Candidate Conference (which are also 
considered as public comments) are due to NIST by January 15, 2000. The 
Third AES Candidate Conference (AES3) is scheduled for April 13-14, 
2000.

ADDRESSES: Comments and paper proposals should be sent electronically 
to AES[email protected]. Alternatively, they may be sent to: Information 
Technology Laboratory Attn: AES Finalist Comments (Bldg. 820, Room 
423), National Institute of Standards and Technology, 100 Bureau Drive, 
STOP 8930, Gaithersburg, MD 20899-8930, U.S.A.
    AES-related comments received in response to this notice will be 
made part of the public record. Papers proposed for presentation at 
AES3 will be posted on the AES home page http://www.nist.gov/aes prior 
to the beginning of AES3. All additional Round 2 comments will be made 
available at the AES home page shortly after the Round 2 comments 
period closes.

FOR FURTHER INFORMATION CONTACT: The AES home page http://www.nist.gov/
aes has all current NIST information pertaining to the AES development 
effort. Recent results and ongoing discussions regarding the finalists 
and AES-related issues takes place at the AES Electronic Discussion 
Forum, http://aes.nist.gov/aes/default.htm. General questions may be 
directed to Edward Roback at (301) 975-3696, or [email protected].

Technical questions may be made by contacting Jim Foti at (301) 975-
5237, [email protected], or Elaine Barker at (301) 975-2911, 
[email protected].
    Algorithm-specific questions should be directed to the algorithm's 
submitter. Contact information for the submitters is located on the AES 
home page.

SUPPLEMENTARY INFORMATION:

1. AES Finalist Candidate Algorithms

    NIST has selected the AES finalists for Round 2. The list of 
finalists, along with their specifications and intellectual property 
statements, is available electronically at the AES home page. At that 
same location, NIST is also making available a document that presents 
the rationale for NIST's selection of the finalists.
    The Round 1 candidate algorithms that were not selected for Round 2 
are no longer part of the AES development effort, and, therefore, will 
not be selected for inclusion in the AES FIPS. Those algorithms 
(including the specifications and reference and optimized code) may or 
may not be in the public domain (this includes using the code for 
testing and research purposes), so algorithm implements, users, and 
others should be aware of the intellectual property status of each 
individual algorthm. When the algorithms were initially submitted 
before the start of Round 1, each submitter signed an intellectual 
property statement, part of which states that

    * * * If my algorithm * * * is not selected for inclusion in the 
FIPS (including those not selected for second round of public 
evaluation), I understand that all rights, including use rights of 
the reference and mathematically optimized implementations, revert 
back to the submitter (and other owner[s] as appropriate).

    Please note that the selection of an algorithm as a finalist does 
not constitute endorsement by NIST of the algorithm or it security. 
Similarly, the non-selection of an algorithm is not necessarily to be 
taken as a statement about the algorithm's quality, security, 
efficiency, or other characteristics. Algorithms selected as finalists 
were determined to be more suitable for the proposed FIPS. For specific 
details on an algorithm and its particular security characteristics, 
one should consult the various Round 1 public comments that were 
submitted to NIST (available on the AES home page).
    Although no formal process has been established to address minor 
modifications of the finalists that may become necessary, NIST reserves 
the right to work with the submitters of the finalists regarding any 
such modifications. NIST intends to do this in the most open and public 
manner possible. This is consistent with the made in the original call 
for candidate algorithms, to which all submitters agreed that

    * * * the U.S. Government may, during the course of the lifetime 
of the AES or during the FIPS public review process, modify the 
algorithm's specifications (e.g., to protect against a newly 
discovered vulnerability).

2. Availability of AES CD-3

    All persons with AES CD-1 and CD-2 should be aware of potential 
intellectual property issues with implementing and using algorithms on 
those CDs, especially for those algorithms that were not selected for 
Round 2. Please see the note in Section 1, above.
    In addition to making specifications available on the AES home 
page, during Round 2 NIST will make a CD-ROM available ( to be 
designatede ``AES CD-3'') which contains the algorithm specifications, 
supporting documentation, and submitted code for the AES finalists. It 
is anticipated that this code will be different from the code provided 
before the start of Round 1 (e.g., updated to be more efficient, 
additional code for various platforms, etc.). The submitters of the AES 
finalists are being given one month from the start of Round 2 to 
provide NIST with any updated code.
    AES CD-3 should be available approximately 2-3 months after the 
beginning of Round 2. When it is ready for distribution, NIST will re-
activate the AES CD Request Form at http://csrc.nist.gov/encryption/
aes/round1/cdreq.htm. To those people in the U.S. and Canada who 
received AES CD-2, NIST will automatically send a copy of AES CD-3. So, 
for those people, there will be no need to provide NIST with an 
additional CD-ROM request.

[[Page 50060]]

    Since AES CD-3 will contain algorithm code, it will be subject to 
export control, and NIST will handle export requests approriately. For 
those people outside of the U.S. and Canada who received AES CD-2 (for 
whom an export license was granted), AES CD-3 will automatically be 
distributed only after a new export license is granted and their copy 
of AES CD-2 is returned to NIST, as required by the conditions of the 
original export license. Information on where to send AES CD-2 is 
posted on the AES CD Request Form mentioned above.

3. Comments Solicited on the AES Finalists

    Written comments on the finalists are solicited by NIST in this 
Round 2 technical evaluation in order to help NIST select one or more 
algorithms for specification in a draft AES FIPS. To facilitate the 
review of the comments, NIST asks the submitters of comments to clearly 
indicate the algorithm(s) to which their comments apply. Also, as 
guidance to comment submitters, the original Evaluation Criteria 
published on September 12, 1997, are reproduced in Section 4 below.
    NIST will accept both general comments and formal analyses/papers 
that will be considered for presentation at the Third AES Candidate 
Conference (see Section 5 below).
    Since submitted comments will be made available to the public, the 
comments must not contain proprietary information.
    Comments and analysis are sought on any aspect of the candidate 
algorithms, including--but not limited to--the following topics.

3.1  Cryptanalysis

    Since security will be the most important characteristic of the 
selected algorithm(s), NIST strongly encourages and welcomes 
cryptanalysis of the finalists.

3.2  Intellectual Property of the AES Finalists

    NIST seeks detailed comments regarding any intellectual property--
particularly any patent not already identified by the finalists' 
submitters--that may be infringed by the practice of any of the 
finalists algorithms. This also includes comments from all parties--
including submitters--regarding specific claims that the practice of a 
finalist algorithm infringes on their patent(s). Claims regarding 
infringement of copyrighted software are also particularly solicited. 
NIST views this input as a critical factor in the eventual widespread 
adoption and implementation of the algorithm(s) specified in the FIPS.
    NIST reminds all interested parties that the adoption of AES is 
being conducted as an open standards-setting activity. Specifically, 
NIST has requested that all interested parties identify to NIST any 
patents or inventions that may be required for the use of AES. NIST 
hereby gives public notice that it may seek redress under the antitrust 
laws of the United States against any party in the future who might 
seek to exercise patent rights against any user of AES that have not 
been disclosed to NIST in response to this request for information.

3.3  Cross-Cutting Analyses of All of the AES Finalists

    Public analysis comparing the entire field of finalists in a 
consistent manner for particular characteristics will be very useful. 
Examples of this type of analysis might include comparisons of the 
finalists regarding: (1) Performance on various smart cards, when the 
implementations are constructed to defend against timing and power 
analysis attacks, (2) performance and/or memory use measurements, when 
written in the same programming language, (3) relative performance on 
64-bit processors, (4) performance of assembly language implementations 
on various platforms, and (5) performance of hardware implementations 
or simulations.
    Additionally, surveys, analyses, and comments are invited regarding 
prospective future platforms and applications that will implement the 
AES FIPS algorithm(s).
    During Round 2, NIST may take into consideration the issue of 
having ``variable rounds'' in the AES finalists. Therefore, NIST 
invites comments on how NIST should address the ``variable rounds'' 
issue during and after Round 2.

3.4  Overall Recommendations Regarding the Selection of the 
Algorithm(s) for the Proposed FIPS

    When all factors are considered, which candidate algorithm(s) 
should be selected for inclusion in the FIPS? Also, conversely, NIST 
seeks the identification and justification of which algorithms should 
not be selected by NIST. Such comments (with supporting justifications) 
will be of great use to NIST and help assure timely progress of the AES 
selection process.

3.5  Related Recommendations Regarding Implementation of the AES FIPS

    In addition to selecting the algorithm(s) to be included in the 
proposed FIPS, issues regarding the implementation requirements of the 
standard will also need to be addressed. Therefore, NIST is seeking 
comments (with rationale) on what requirements should be included in 
the FIPS. For example, if NIST selects multiple algorithms for 
inclusion in the proposed FIPS, should the standard require that 
products conforming to the FIPS implement (1) one algorithm, (2) two 
(or more) algorithms, (3) all algorithms, or (4) a varying number of 
algorithms, depending on the type of implementation (e.g., require all 
algorithms in software implementations, only one in hardware 
implementations, etc.)?
    Also, upon final publication as a FIPS, NIST intends to provide 
validation testing for implementations of the AES algorithm(s), as it 
does with other FIPS-approved cryptographic algorithms. Comments 
pertaining to such validation testing are also welcome.

4. Evaluation Criteria

    In the call for AES candidate algorithms (Federal Register, 
September 12, 1997, [Volume 62, Number 177], pages 48051-48058), NIST 
published evaluation criteria for use in reviewing candidate 
algorithms. For reference purposes, these criteria are reproduced 
below:

[Beginning of Excerpt]

    Security (i.e., the effort required to cryptanalyze).
    The security provided by an algorithm is the most important 
factor in the evaluation.
    Algorithms will be judged on the following factors:
    i. Actual security of the algorithm compared to other submitted 
algorithms (at the same key and block size).
    ii. The extent to which the algorithm output is 
indistinguishable from a random permutation on the input block.
    iii. Soundness of the mathematical basis for the algorithm's 
security.
    iv. Other security factors rasied by the public during the 
evaluation process, including any attacks that demonstrate that the 
actual security of the algorithm is less than the strength claimed 
by the submitter.
    Claimed attacks will be evaluated for practicality.

Cost

    i. Licensing requirements: NIST intends that when the AES is 
issued, the algorithm(s) specified in the AES shall be available on 
a worldwide, non-exclusive, royalty-free basis.
    ii. Computational efficiency: The evaluation of computational 
efficiency will be applicable to both hardware and software 
implementations. Round 1 analysis by NIST will focus primarily on 
software implementations and specifically on one key-block size 
combination (128-128); more attention will be paid to hardware

[[Page 50061]]

implementations and other supported key-block size combinations 
(particularly those required in the ``Minimum Acceptability 
Requirements'' section) during Round 2 analysis.
    Computational efficiency essentially refers to the speed of the 
algorithm. NIST's analysis of computational efficiency will be made 
using each submission's mathematically optimized implementations on 
the platform specified under ``Round 1 Technical Evaluation'' below. 
Public comments on each algorithm's efficiency (particularly for 
various platforms and applications) will also be taken into 
consideration by NIST.
    iii. Memory requirements: The memory required to implement a 
candidate algorithm--for both hardware and software implementations 
of the algorithm--will also be considered during the evaluation 
process. Round 1 analysis by NIST will focus primarily on software 
implementations; more attention will be paid to hardware 
implementations during Round 2.
    Memory requirements will include such factors as gate counts for 
hardware implementations, and code size and RAM requirements for 
software implementations.
    Testing will be performed by NIST using the mathematically 
optimized implementations provided in the submission package. Memory 
requirement estimates (for different platforms and environments) 
that are included in the submission package will also be taken into 
consideration by NIST. Input from public evaluations of each 
algorithm's memory requirements (particularly for various platforms 
and applicants) will also be taken into consideration by NIST.

Algorithm and Implementation Characteristics

    i. Flexibility: Candidate algorithms with greater flexibility 
will meet the needs of more users than less flexible ones, and, 
therefore, inter alia, are preferable. However, some extremes of 
functionality are of little practical application (e.g., extremely 
short key lengths)--for those cases, preference will not be given.
    Some examples of ``flexibility'' may include (but are not 
limited to) the following:
    a. The algorithm can accommodate additional key- and block-sizes 
(e.g., 64-bit block sizes, key sizes other than those specified in 
the Minimum Acceptability Requirements section, [e.g., keys between 
128 and 256 that are multiples of 32 bits, etc.]).
    b. The algorithm can be implemented securely and efficiently in 
a wide variety of platforms and applications (e.g., 8-bit 
processors, ATM networks, voice & satellite communications, HDTV, B-
ISDN, etc.).
    c. The algorithm can be implemented as a stream cipher, Message 
Authentication Code (MAC) generator, pseudo-random number generator, 
hashing algorithm, etc.
    ii. Hardware and software suitability: A candidate algorithm 
shall not be restrictive in the sense that it can only be 
implemented in hardware. If one can also implement the algorithm 
efficiency in firmware, then this will be an advantage in the area 
of flexibility.
    iii. Simplicity: A candidate algorithm shall be judged according 
to relative simplicity of design.

[End of excerpt]

5. Initial Planning for the Third AES Candidate Conference (AES3)

    Near the end of Round 2, NIST will sponsor the Third AES Candidate 
Conference (AES3)--another open, public forum that will be used to 
discuss analyses of the AES finalists. Additionally, submitters of the 
AES finalists will be invited to attend and engage in discussions 
regarding comments on their algorithms.
    AES3 will be held April 13-14, 2000, at the Hilton New York and 
Towers, in New York City. The AES home page contains registration and 
logistical information, in addition to information on other nearby 
hotels. As for AES2 (March 22-23, 1999), AES3 will be held during the 
same week and at the same location as the Fast Software Encryption 
(FSE) Workshop (a link to FSE information will be available on the AES 
home page).
    Paper submissions for AES3 should be sent to AES[email protected] as 
an official comment, with a note indicating that the paper is being 
submitted for AES3. The deadline for AES3 submissions is January 15, 
2000. All papers must be submitted in one of the following formats: 
Adobe PDF, Postscript, Rich Text Format (RTF), or Microsoft Word97. 
(For Adobe PDF and Postscript submissions, please embed all necessary 
fonts within the document.) All papers received for AES3--regardless of 
their acceptance for presentation at AES3--will be made available on 
the AES home page prior to the conference.

Appreciation

    NIST extends its appreciation to all AES candidate algorithm 
submitters--both those submitters whose algorithms did and did not 
quality for Round 2--and those people providing public comments during 
the AES development process.

    Dated: September 9, 1999.
Karen Brown,
Deputy Director, NIST.
[FR Doc. 99-24014 Filed 9-14-99; 8:45 am]
BILLING CODE 3510-CN-M'